axbanker | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217

Analysis

max time kernel
147s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Size

36.6MB
MD5

19773de3aada9bebac1c8a284059e0a5
SHA1

482dcb8326ab158a0b054516cede9d80119dca7b
SHA256

4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217
SHA512

829ee42d011ca1064a272fc626540b5ddf115d1e59e8e107b185def9ced215b96ce3018c7ff4a8a6c30893e313c64e1df58e7771e1d2f868fcfa61c7ecd56346
SSDEEP

786432:w5iyxGxoo4kxSjEN0CgFjaj2G8NkzJD4pSbN+WYbO7fqffK:w01xoLvCgxayG8NkzJDaSbN+WY8qffK

Score

10^/10

axbanker banker discovery evasion infostealer persistence privilege_escalation themida trojan

Malware Config

Signatures

AxBanker
AxBanker is an Android banking trojan that targets bank customers information distributed through fake bank applications.
banker infostealer axbanker
Axbanker family
axbanker

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BtlhzpOVFhG.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BtlhzpOVFhG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BtlhzpOVFhG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	BtlhzpOVFhG.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
408	BtlhzpOVFhG.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4804-13-0x0000000000270000-0x0000000003772000-memory.dmp	themida
behavioral2/memory/4804-14-0x0000000000270000-0x0000000003772000-memory.dmp	themida
behavioral2/memory/4804-36-0x0000000000270000-0x0000000003772000-memory.dmp	themida
behavioral2/files/0x0007000000023cb2-37.dat	themida
behavioral2/memory/1912-43-0x0000000000290000-0x00000000039EA000-memory.dmp	themida
behavioral2/memory/1912-44-0x0000000000290000-0x00000000039EA000-memory.dmp	themida
behavioral2/files/0x0003000000000711-48.dat	themida
behavioral2/memory/408-54-0x00000000009F0000-0x00000000042A2000-memory.dmp	themida
behavioral2/memory/408-55-0x00000000009F0000-0x00000000042A2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BtlhzpOVFhG.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
408	BtlhzpOVFhG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BtlhzpOVFhG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1336	netsh.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
408	BtlhzpOVFhG.exe
408	BtlhzpOVFhG.exe
408	BtlhzpOVFhG.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Token: SeDebugPrivilege	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Token: SeDebugPrivilege	408	BtlhzpOVFhG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
408	BtlhzpOVFhG.exe
408	BtlhzpOVFhG.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4144	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	82
PID 4804 wrote to memory of 4144	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	82
PID 4804 wrote to memory of 3684	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	91
PID 4804 wrote to memory of 3684	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	91
PID 4804 wrote to memory of 3684	4804	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	91
PID 3684 wrote to memory of 1568	3684	cmd.exe	93
PID 3684 wrote to memory of 1568	3684	cmd.exe	93
PID 3684 wrote to memory of 1568	3684	cmd.exe	93
PID 3684 wrote to memory of 764	3684	cmd.exe	94
PID 3684 wrote to memory of 764	3684	cmd.exe	94
PID 3684 wrote to memory of 764	3684	cmd.exe	94
PID 3684 wrote to memory of 1912	3684	cmd.exe	95
PID 3684 wrote to memory of 1912	3684	cmd.exe	95
PID 3684 wrote to memory of 1912	3684	cmd.exe	95
PID 1912 wrote to memory of 3964	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	96
PID 1912 wrote to memory of 3964	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	96
PID 1912 wrote to memory of 408	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	97
PID 1912 wrote to memory of 408	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	97
PID 1912 wrote to memory of 408	1912	4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe	97
PID 408 wrote to memory of 1148	408	BtlhzpOVFhG.exe	98
PID 408 wrote to memory of 1148	408	BtlhzpOVFhG.exe	98
PID 408 wrote to memory of 4440	408	BtlhzpOVFhG.exe	99
PID 408 wrote to memory of 4440	408	BtlhzpOVFhG.exe	99
PID 408 wrote to memory of 4440	408	BtlhzpOVFhG.exe	99
PID 408 wrote to memory of 2588	408	BtlhzpOVFhG.exe	100
PID 408 wrote to memory of 2588	408	BtlhzpOVFhG.exe	100
PID 408 wrote to memory of 2588	408	BtlhzpOVFhG.exe	100
PID 408 wrote to memory of 4596	408	BtlhzpOVFhG.exe	101
PID 408 wrote to memory of 4596	408	BtlhzpOVFhG.exe	101
PID 408 wrote to memory of 4596	408	BtlhzpOVFhG.exe	101
PID 408 wrote to memory of 4892	408	BtlhzpOVFhG.exe	102
PID 408 wrote to memory of 4892	408	BtlhzpOVFhG.exe	102
PID 408 wrote to memory of 4892	408	BtlhzpOVFhG.exe	102
PID 408 wrote to memory of 5100	408	BtlhzpOVFhG.exe	103
PID 408 wrote to memory of 5100	408	BtlhzpOVFhG.exe	103
PID 408 wrote to memory of 5100	408	BtlhzpOVFhG.exe	103
PID 408 wrote to memory of 4084	408	BtlhzpOVFhG.exe	104
PID 408 wrote to memory of 4084	408	BtlhzpOVFhG.exe	104
PID 408 wrote to memory of 4084	408	BtlhzpOVFhG.exe	104
PID 408 wrote to memory of 1544	408	BtlhzpOVFhG.exe	105
PID 408 wrote to memory of 1544	408	BtlhzpOVFhG.exe	105
PID 408 wrote to memory of 1544	408	BtlhzpOVFhG.exe	105
PID 408 wrote to memory of 1336	408	BtlhzpOVFhG.exe	106
PID 408 wrote to memory of 1336	408	BtlhzpOVFhG.exe	106
PID 408 wrote to memory of 1336	408	BtlhzpOVFhG.exe	106
PID 408 wrote to memory of 1364	408	BtlhzpOVFhG.exe	107
PID 408 wrote to memory of 1364	408	BtlhzpOVFhG.exe	107
PID 408 wrote to memory of 1364	408	BtlhzpOVFhG.exe	107

C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
"C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
  2⤵
  PID:4144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 4 & Del /F /Q "C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe" & choice /C Y /N /D Y /T 2 & Move /Y "C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp" "C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe" & Start "" /D "C:\Users\Admin\AppData\Local\Temp" "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
    "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
      4⤵
      PID:3964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Network\host\Btlh\BtlhzpOVFhG.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Network\host\\Btlh\BtlhzpOVFhG.exe" MAIN_EXE
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
        5⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set heuristics disabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4440
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global autotuninglevel=normal
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2588
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global congestionprovider=ctcp
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4596
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global ecncapability=default
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global rss=enabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5100
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global chimney=disabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4084
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global dca=enabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1544
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global timestamps=disabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Time Discovery
        
        PID:1336
    - - C:\Windows\SysWOW64\netsh.exe
        
        "netsh" int tcp set global rsc=enabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp

Filesize
36.2MB

MD5
e6bc7ea5d65ac4164764461138dae6f6

SHA1
bfa7c7e4b8d962206012a168bd83e7f5fd5784f5

SHA256
34cd7628b947c3dabbf76ce8e47fe72217d6b2210304a6e1f000bddbcd3e13d9

SHA512
7d98f84d407050158ba4705cab7443b1b90894b18e571926404b95646eca8a69f881d9487afbbded78f9cedb18a07e2ecf0a9de2e838762a7112d3d105db337f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\host\Btlh\BtlhzpOVFhG.exe

Filesize
22.2MB

MD5
069114a0b88feb59473387cec3fc4d9a

SHA1
ca7c7b73a9c329399715add956847f092ffea68e

SHA256
9a506bdd18ab1e26e8f9d0d1d95a0d83984ebcf8c915ac8a962f579f724a53ac

SHA512
c9de619ca7f8037e75de9ea9a3fdc562357197bc418ff40cd7c50295008d77e2e7c7c980141903b796cf5a99c1c5fb1feec5b5532635f5f3a5919f0511881d2d

Download Submit
memory/408-67-0x000000000A040000-0x000000000A06A000-memory.dmp

Filesize
168KB

Download
memory/408-64-0x0000000009710000-0x0000000009722000-memory.dmp

Filesize
72KB

Download
memory/408-84-0x000000000D230000-0x000000000D9D6000-memory.dmp

Filesize
7.6MB

Download
memory/408-83-0x000000000ACA0000-0x000000000AD12000-memory.dmp

Filesize
456KB

Download
memory/408-80-0x000000000AC30000-0x000000000AC38000-memory.dmp

Filesize
32KB

Download
memory/408-81-0x000000000AC40000-0x000000000AC72000-memory.dmp

Filesize
200KB

Download
memory/408-82-0x000000000AC80000-0x000000000AC96000-memory.dmp

Filesize
88KB

Download
memory/408-79-0x000000000AC20000-0x000000000AC28000-memory.dmp

Filesize
32KB

Download
memory/408-78-0x000000000AB50000-0x000000000ABF8000-memory.dmp

Filesize
672KB

Download
memory/408-56-0x0000000006B10000-0x0000000006B1A000-memory.dmp

Filesize
40KB

Download
memory/408-75-0x000000000AAB0000-0x000000000AB08000-memory.dmp

Filesize
352KB

Download
memory/408-77-0x000000000AB40000-0x000000000AB50000-memory.dmp

Filesize
64KB

Download
memory/408-55-0x00000000009F0000-0x00000000042A2000-memory.dmp

Filesize
56.7MB

Download
memory/408-74-0x000000000AA90000-0x000000000AAAC000-memory.dmp

Filesize
112KB

Download
memory/408-72-0x000000000A930000-0x000000000AA1E000-memory.dmp

Filesize
952KB

Download
memory/408-71-0x000000000A790000-0x000000000A91C000-memory.dmp

Filesize
1.5MB

Download
memory/408-54-0x00000000009F0000-0x00000000042A2000-memory.dmp

Filesize
56.7MB

Download
memory/408-66-0x000000000A010000-0x000000000A036000-memory.dmp

Filesize
152KB

Download
memory/408-68-0x000000000A070000-0x000000000A094000-memory.dmp

Filesize
144KB

Download
memory/408-69-0x000000000A0A0000-0x000000000A64A000-memory.dmp

Filesize
5.7MB

Download
memory/408-65-0x0000000009FA0000-0x000000000A016000-memory.dmp

Filesize
472KB

Download
memory/408-63-0x0000000009700000-0x0000000009708000-memory.dmp

Filesize
32KB

Download
memory/408-62-0x0000000009CD0000-0x0000000009F9C000-memory.dmp

Filesize
2.8MB

Download
memory/408-61-0x0000000009580000-0x00000000096B2000-memory.dmp

Filesize
1.2MB

Download
memory/408-60-0x00000000094B0000-0x000000000956C000-memory.dmp

Filesize
752KB

Download
memory/408-59-0x0000000009460000-0x00000000094AA000-memory.dmp

Filesize
296KB

Download
memory/408-58-0x0000000006E50000-0x0000000006E76000-memory.dmp

Filesize
152KB

Download
memory/408-76-0x000000000AB20000-0x000000000AB46000-memory.dmp

Filesize
152KB

Download
memory/408-73-0x000000000AA30000-0x000000000AA94000-memory.dmp

Filesize
400KB

Download
memory/408-57-0x00000000093B0000-0x0000000009450000-memory.dmp

Filesize
640KB

Download
memory/1912-44-0x0000000000290000-0x00000000039EA000-memory.dmp

Filesize
55.4MB

Download
memory/1912-43-0x0000000000290000-0x00000000039EA000-memory.dmp

Filesize
55.4MB

Download
memory/4804-2-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-25-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-5-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-8-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-36-0x0000000000270000-0x0000000003772000-memory.dmp

Filesize
53.0MB

Download
memory/4804-35-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-24-0x0000000008DD0000-0x0000000008DDA000-memory.dmp

Filesize
40KB

Download
memory/4804-0-0x0000000000270000-0x0000000003772000-memory.dmp

Filesize
53.0MB

Download
memory/4804-23-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-7-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-4-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-21-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-15-0x0000000008F80000-0x0000000009524000-memory.dmp

Filesize
5.6MB

Download
memory/4804-20-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-17-0x0000000000270000-0x0000000003772000-memory.dmp

Filesize
53.0MB

Download
memory/4804-16-0x0000000006260000-0x00000000062F2000-memory.dmp

Filesize
584KB

Download
memory/4804-19-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-14-0x0000000000270000-0x0000000003772000-memory.dmp

Filesize
53.0MB

Download
memory/4804-13-0x0000000000270000-0x0000000003772000-memory.dmp

Filesize
53.0MB

Download
memory/4804-9-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-1-0x00000000750C0000-0x00000000750C1000-memory.dmp

Filesize
4KB

Download
memory/4804-22-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-3-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download
memory/4804-6-0x00000000750A0000-0x0000000075190000-memory.dmp

Filesize
960KB

Download